ivangdavila

OpenAI Symphony

by Iván · GitHub ↗ · v1.0.0
darwin · linux · win32 · ⚠ suspicious
376 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install symphony
Description
Set up and run OpenAI Symphony with isolated issue workspaces, workflow contracts, and unattended Codex orchestration for Linear projects.
Usage Guidance
This skill appears to do what it claims, but it operates at a high trust level. Before installing or enabling unattended runs:
  1. Only use a test Linear project and a non-production repository until you validate one end-to-end run.
  2. Minimize token scopes — prefer a least-privilege Git token or deploy key rather than a broad GITHUB_TOKEN.
  3. Prefer SSH key auth if you don't want to store a token.
  4. Verify the 'codex' binary is legitimate and understand whether it uses OPENAI_API_KEY or a separate login session.
  5. Inspect any repository hooks (after_create, before_run, etc.) you will run — hooks can execute arbitrary code from the repo.
  6. Keep workspace root on a dedicated path (not a parent/shared directory) and do not store secrets in ~/symphony/ memory files.
  7. Require explicit user approval before enabling unattended/autonomous operation.
  8. If provenance matters, confirm the referenced upstream implementation (e.g., the GitHub repo cited in docs) before trusting the skill.
If you want, provide the exact token scopes you plan to use and the location of the codex binary and I can give more specific hardening steps.
Capability Analysis
Type: OpenClaw Skill
Name: symphony
Version: 1.0.0
The OpenAI Symphony skill provides unattended orchestration for Linear issues and Git repositories, requiring high-privilege credentials (LINEAR_API_KEY, GITHUB_TOKEN) and executing shell hooks (SKILL.md, WORKFLOW.md). While the skill includes comprehensive safety documentation and isolation policies (safety-guardrails.md), the inherent risks of shell execution and broad API access for its stated purpose align with the suspicious classification. No evidence of intentional malice or data exfiltration was identified.
Capability Assessment
Purpose & Capability
Name/description (Linear + Codex orchestration) align with required binaries (git, codex), required env vars (LINEAR_API_KEY, OPENAI_API_KEY, GITHUB_TOKEN), and the workspace config path. These pieces are what you would expect for a service that polls Linear, runs Codex, and clones/pushes repos. Minor inconsistency: documentation accepts either OPENAI_API_KEY or an active 'codex' login session and supports SSH key auth, but manifest lists OPENAI_API_KEY and GITHUB_TOKEN as required — acceptable but slightly stricter than the prose.
Instruction Scope
SKILL.md and the included docs keep behavior scoped to per-issue workspaces and insist on user approval before unattended operation. However, the skill explicitly runs repo hooks (git clone and hook scripts) and will drive a local codex app-server; those hooks can execute arbitrary code from a repository. The skill includes guardrails and advises test-project rollouts, but executing hooks is an expected, high-risk part of the stated purpose and requires the user to ensure repositories/hooks are trusted.
Install Mechanism
Instruction-only skill with no install spec or embedded code files — lowest install risk. The runtime behavior relies on existing system binaries (git, codex). Because there is no installer that downloads/extracts code, nothing new is written to disk by an install step beyond the memory/workspace files the skill itself instructs to create at runtime.
Credentials
Requested environment variables (LINEAR_API_KEY, OPENAI_API_KEY, GITHUB_TOKEN) are proportionate to the capability: Linear API for tracker access, OpenAI/Codex auth for agent execution, and GitHub credentials for clone/fetch/push. Caveats: the skill's prose allows SSH keys as an alternative to GITHUB_TOKEN and also mentions codex login session as an alternative to OPENAI_API_KEY — the manifest's required list is somewhat stricter than the guidance. The skill stores runtime memory under ~/symphony/ and explicitly advises not to store secrets there.
Persistence & Privilege
The skill persists state to ~/symphony/ (memory, run-history, incidents) and is allowed autonomous invocation (platform default). It does not request 'always: true' or modify other skills. Because it performs unattended orchestration and can run hooks, persistent write access to its own workspace and repo operations are expected; this increases blast radius only insofar as you grant the requested credentials and approvals.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install symphony
  3. After installation, invoke the skill by name or use /symphony
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with workflow templates, runbook guidance, and safety guardrails for operating Symphony in trusted environments.
Metadata
Slug symphony
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is OpenAI Symphony?

It is a skill for setting up and running OpenAI Symphony with isolated issue workspaces, workflow contracts, and unattended Codex orchestration for Linear projects. It is an AI Agent Skill for Claude Code / OpenClaw, with 376 downloads so far.

How do I install OpenAI Symphony?

Run "/install symphony" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenAI Symphony free?

Yes, OpenAI Symphony is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenAI Symphony support?

OpenAI Symphony is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created OpenAI Symphony?

It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.
